E. Teske, Speeding Up Pollard's Rho Method for Computing Discrete Logarithms, Algorithmic Number Theory Symposium III (LNCS 1423), Springer-Verlag, Berlin, 1998, pp. 541--554.
....algebra modulo #JC (k) but Gaudry [31] was the first to present an index calculus algorithm designed with this in mind. His algorithm follows the outline described above as Strategy 2. After the factor base S is constructed (only degree 1 prime divisors are included) a random walk à la Teske [80] is performed in the set of reduced divisors equivalent to D 1 D 2 : Each 1 smooth divisor encountered yields a relation, and the remainder of the algorithm proceeds as described above. In addition to faster linear algebra modulo #JC (k) the process of generating relations is quite ....
E. Teske, "Speeding up Pollard's rho method for computing discrete logarithms", Algorithmic Number Theory, LNCS 1423, 1998, 541-554.
....c and d can easily be computed from a and b. The originally suggested function by Pollard (for Z; can be generalized towards arbitrary cyclic groups as hx if x C ; f(X) X 2 if x C ,q2; gx if x S 3. Here, 2 and 3 are three sets of roughly the same size which form a partition of . In [12,13], Teske shows that this function is not random enough and gives a better function: f(x) x.g sh 8, ifxA s fors 1, r andr20. Here again, the A s are of roughly the same size and form a partition of G. But this time, G is partitioned into more than three subsets. For both functions, it is of ....
....we based our time and space analysis. We will now elaborate on how realistic these assumptions are in an actual implementation. Randomness of the function: For our analysis, we assumed that the iteration function is perfectly random and therefore produces uniformly distributed group elements. In [12,13], Teske shows that the function suggested by her behaves practically like a truly random function if the group elements are partitioned into about 20 subsets. All collisions are useful: A collision reveals two representations of the form gah 6a and g h 6 of the same group element. If bi bj (mod ....
E. Teske, Speeding up Pollard's Rho Method for Computing Discrete Logarithms, in Proceedings of ANTS III: The 3rd International Symposium on Algorithmic Number Theory, J.P. Buhler, Ed., Lecture Notes in Computer Science, Vol. 1423, pp. 351-357, Berlin: Springer, 1998.
....finding algorithm it suffices to compare w i to w 2i for i = 1; 2; see [53] A pictorial description of the sequence (w i ) # i=0 is given by a (the Greek character rho) starting at the tail of the it iterates until it bites in its own tail, and cycles from there on. 36 As shown in [111] partitioning G into only three sets does in general not lead to a truly random walk. In practice that means that the collision occurs somewhat later than it should. Unfortunately a truly random walk is hard to achieve. However, as also shown in [111] if G is partitioned into substantially more ....
....and cycles from there on. 36 As shown in [111] partitioning G into only three sets does in general not lead to a truly random walk. In practice that means that the collision occurs somewhat later than it should. Unfortunately a truly random walk is hard to achieve. However, as also shown in [111], if G is partitioned into substantially more than 3 sets, say about 15 sets, then the collision occurs on average almost as fast as it would for a truly random walk. An improvement of Floyd's cycle finding algorithm is described in [15] Parallelization. If m processors run the above method ....
E. Teske, Speeding up Pollard's rho methods for computing discrete logarithms, Proceedings ANTS III, LNCS 1423, Springer-Verlag 1998, 541-554.
....group comes equipped with the fast arithmetic developed for finite fields but also with a subexponential algorithm for computing the discrete logarithm. Since this index calculus attack does not carry over to the elliptic curves, only general techniques like Pollard's rho and kangaroo method (see [40, 43, 44, 60]) apply, unless the curve has a special structure, for example is supersingular (see Frey and Rück [8] and Menezes, Okamoto, and Vanstone [32] or the group order is divisible only by small primes, thus weak under the Pohlig-Hellman attack [41] But there is a big drawback one addition on an ....
E. Teske, Speeding up Pollard's rho method for computing discrete logarithms, in: Algorithmic Number Theory Seminar ANTS-III, Lecture Notes in Computer Science 1423, (Springer 1998), 541-554.
....a i g t. Enge Gaudry Index Calculus Algorithm. The main ideas of the Enge Gaudry index calculus algorithm are the following. First build a factor base S = fP 1 ; P 2 ; Pw g consisting of all prime divisors of degree t for some bound t. One then performs a random walk (à la Teske [41]) in the set of reduced divisors equivalent to divisors of the form D 1 D 2 and stores the t smooth divisors encountered in this walk each t smooth divisor yields a relation i D 1 i D 2 R i = P j e ij P j . When w 1 different relations have been found, one can find by linear algebra ....
E. Teske, "Speeding up Pollard's rho method for computing discrete logarithms", Algorithmic Number Theory, LNCS 1423, 1998, 541-554.
....iterator can be replaced by more complex iterators to achieve better running times. A recent effort to solve a specific instance of the ECDLP used a 16 part iterator that performed to within 3 of the expected time [3] Edlyn Teske has written a technical report on the selection of the iterator [14]. The running time of the rho algorithm was recently improved upon by a constant factor; see [15] 3.4 Pollard's Lambda Method This is a variant Pollard proposed for use when the index of the unknown group element A is known to lie in a certain interval. The original paper presents this method as ....
E. Teske. Speeding up pollard's rho method for computing discrete logarithms. www.informatik.tu-darmstadt.de/TI/Veroeffentlichung, 1998.
....ECC2 353. 3. Koblitz curves over F 2 m , where m is prime: ECC2K 95, ECC2 108, ECC2 130, ECC2 163, ECC2 238, and ECC2 358. Results of the Challenge. Escott et al. 19] report on their 1998 implementation of the parallelized Pollard's rho algorithm which incorporates some improvements of Teske [93]. The hardest instance of the ECDLP they solved was the Certicom ECCp 97 challenge. For this task they utilized over 1200 machines from at least 16 countries, and found the answer in 53 days. The total number of steps executed was about 2 × 10^14 elliptic curve additions which is close to ....
E. Teske, "Speeding up Pollard's rho method for computing discrete logarithms", in J.P. Buhler, editor, Algorithmic Number Theory, Proceedings Third Intern. Symp., ANTS-III, Lecture Notes in Computer Science, 1423 (1998), Springer-Verlag, 541-554.
....FIELDS 11 number. Of course, Pollard's lambda method also applies to solving the discrete logarithm problem in real quadratic function fields provided that one knows that the discrete logarithm lies in a given interval. A generalization of Pollard's rho method and its parallelized versions (see [Pol78, Tes98, vOW99, Pol]) to function fields can be employed as well by applying similar ideas as in Section 4. We suggest this method for the case that one has no additional information on the size of the regulator or the class numbers. ....
E. Teske, Speeding up Pollard's rho method for computing discrete logarithms, Algorithmic Number Theory Seminar ANTS-III, Lecture Notes in Computer Science, vol. 1423, Springer-Verlag, 1998, pp. 541--554.
....product of the form a k b l may be chosen as a start value. The sequence of exponents of a produced by this definition are computed by e i 1 = e i 1 and e i 1 = 2e i , starting from some e 0 = k xl. A theoretical result about the randomness of that sequence seems not to be known. Teske [27] constructs a sequence where a distribution which is close to uniform can be proven. Her construction partitions G into 20 subsets S 1 ; S 20 and replaces the definition of d i 1 above by d i 1 : m k d i ; d i 2 S k and 1 k 16 d 2 i ; d i 2 S k and 17 k 20; where the m k are ....
E. Teske. Speeding up pollard's rho method for computing discrete logarithms. In Algorithmic Number Theory -- ANTS III, number 1423 in Lecture Notes in Computer Science, 1998.
....no subexponential algorithm for solving the discrete logarithm problem (ECDLP) in the elliptic point group of a general elliptic curve is known, elliptic curve cryptosystems became a popular choice for implementations. The fastest known attack to the ECDLP is the parallelized Pollard's rho method [18, 21, 27]. In an elliptic curve public key protocol the most important operation is the scalar multiplication by a positive integer m. That means computing mP for a point P on an elliptic curve. For example, the complexity of the ElGamal encryption scheme [4] and the Diffie Hellmann key agreement protocol ....
Teske, E.: Speeding up Pollard's rho method for computing discrete logarithms. In: Algorithmic Number Theory Seminar ANTS-III. Lecture Notes in Computer Science, Vol. 1423. Springer-Verlag, Berlin Heidelberg New York (1998) 541--554
....iteration function is a random function, whereas an iteration with only three options is not very random. This suggest that having more than three iterators in the iteration function may be better as it produces a more random function. This idea is supported by Blackburn and Murphy [1] and Teske [10] who have considered single processor Pollard rho. Table 2 gives the number of iterations needed to solve the ECDLP using several iteration functions. The expected number of iterations for each curve is calculated using p n 2 where n is the group size. The original iteration function is clearly ....
E. Teske. Speeding up pollard's rho method for computing discrete logarithms. In Proceedings of Algorithmic Number Theory Seminar ANTS-III, number 1423 in Lecture Notes in Computer Science, pages 541-554. Springer-Verlag, 1998.
....creates an additive random walk in Z=nZ since each point R i can be written as R i = u i ]P [v i ]Q for which u i 1 u i u (j) mod n; v i 1 v i v (j) mod n: Satler and Schnorr [35] have shown that the above approach is sufficiently random if r 8. Teske has found experimentally [43] that a value of r 20 is more convenient. 2.3.2 A multiplicative random walk One can also use a function f built with fixed multipliers ( j ) 0 j r , j defined modulo n. We define: f(R) j ]R where j = H(R) as above. In this version, we would in fact compute: f(R) 2 4 r 1 Y j=0 ....
E. Teske. Speeding up Pollard's rho method for computing discrete logarithms. In J. P. Buhler, editor, Algorithmic Number Theory, volume 1423 of Lecture Notes in Comput. Sci., pages 541-554. SpringerVerlag, 1998. Third International Symposium, ANTS-III, Portland, Oregon, june 1998, Proceedings.
....in an interval of length at most m. Hence cryptosystem designers have to be careful not to limit the range in which discrete logs lie. The running times of the Shanks and Pollard algorithms have not been improved to any substantial extent. Only improvements by constant factors have been obtained [Pollard2, Teske, VanOorschotW]. There has been progress, on the other hand, in obtaining fast parallel versions [Pollard2, VanOorschotW] in which the elapsed time for the computation shrinks by a factor that is linear in the number of processors used. For the latest applications of these techniques to elliptic curve ....
E. Teske, Speeding up Pollard's rho method for computing discrete logarithms, pp. 541-- 554 in Algorithmic Number Theory: Third Intern. Symp., ANTS-III, J. P. Buhler, ed., Lecture Notes in Math. #1423, Springer, 1998.
No context found.
E. Teske, "Speeding up Pollard's rho method for computing discrete logarithms", Algorithmic Number Theory, LNCS 1423, 1998, 541-554.
No context found.
E. Teske, "Speeding up Pollard's rho method for computing discrete logarithms", Algorithmic Number Theory, LNCS 1423 (1998), 541-554.
....if maxfdeg a i g t. In the Enge Gaudry algorithm, a smoothness bound t is first chosen. Next, the factor base fP 1 ; P 2 ; Pw g is constructed for each prime divisor D = div(a; b) of degree t, exactly one of D and D is included in the factor base. Then, a random walk (à la Teske [33]) is performed in the set of reduced divisors equivalent to divisors of the form D 1 D 2 and the t smooth divisors encountered in this walk are stored each t smooth divisor yields a relation i D 1 i D 2 R i = P j e ij P j . When w 5 different relations have been found, one can find by ....
E. Teske, "Speeding up Pollard's rho method for computing discrete logarithms", Algorithmic Number Theory, LNCS 1423, 1998, 541-554.
....group elements, G = hg; hi. Let r be a small positive integer: r 2 [3; 100] We need a partitioning of G = T 1 [ T r with roughly equally large sets T s . For this, we take a hash function v : G f1; rg and define T s : fy 2 G : v(y) sg ; s = 1; r. A popular example (see [Tes98b]) is the 20 adding walk, which works with r = 20 sets T s and is generated by an iterating function of the form F (y) y M v(y) where the multipliers M 1 ; M 20 are computed according to the rule M s = g ms h ns with m s and n s randomly chosen from f1; jGjg. We compute y ....
E. Teske. Speeding up Pollard's rho method for computing discrete logarithms. In Algorithmic Number Theory Seminar ANTS-III, volume 1423 of Lecture Notes in Computer Science, pages 541-554. Springer-Verlag, 1998.
....class number. Of course, Pollard's lambda method also applies to solving the discrete logarithm problem in real quadratic function fields provided that one knows that the discrete logarithm lies in a given interval. A generalization of Pollard's rho method and its parallelized versions (see [Pol78, Tes98, vOW99, Pol]) to function fields can be employed as well by applying similar ideas as in Section 4. We suggest this method for the case that one has no additional information on the size of the regulator or the class numbers. ....
E. Teske. Speeding up Pollard's rho method for computing discrete logarithms. In Algorithmic Number Theory Seminar ANTS-III, volume 1423 of Lecture Notes in Computer Science, pages 541--554. Springer-Verlag, 1998.
....j ; y j ) with j 1:25 Delta max( 2; However, this bound is not sharp. Therefore, we define the expected delay factor ffi as the ratio E(l( where l( denotes the number of steps until a match is found. For our match finding algorithm, we found experimentally that ffi 1:13 (cf. [Tes98c]) This implies that if the iterating function behaves like a random mapping, we expect to find a match after approximately 1:13 Delta p jGj=2 = 1:416 : p jGj (2.2) steps. Let L 0 = 1:416. Later, we compare this number with the experimentally determined average values ....
....groups. Now, the question is whether r adding walks achieve the same performance as a random random walk would do, and, if this is the case, how should the parameter r be chosen. Experiments with elliptic curve subgroups of prime group orders up to 13 digits show that r = 20 is a good choice: In [Tes98c] we observed that the average values for L were convincingly stable for different sizes of group orders, and very close to the random case value L 0 = 1:41. We will see in Section 5 that 20 adding walks are suitable for simulating random random walks for any size of group orders. We next report ....
E. Teske, Speeding up Pollard's rho method for computing discrete logarithms, Algorithmic Number Theory Seminar ANTS-III, Lecture Notes in Computer Science, vol. 1423, Springer-Verlag, 1998, pp. 541--554.
....kangaroo method successfully in the variant of van Oorschot and Wiener as described in Section 4 together with the aforementioned improvements. We now provide examples for 2 and 16 kangaroos. We used a set of jumps S with l = 50 elements; we believe that arguments similar to the ones given in [Tes98] will show that a choice of l 20 elements is sufficient. We define a distinguished point to be a reduced ideal a = Q; P ) 2 Q for which the lowest F bits of last(Q) are 0 (In the non baby step setting we let = 1. For example, we can choose F = blog 2 Lc=2 such that = 1=2 F 1= p L, ....
....nd (a) 0 (a) R. Then, of course, Pollard's kangaroo method also applies to solving the discrete logarithm problem in real quadratic function fields, if one knows that the discrete logarithm lies in a given interval. A generalization of Pollard's rho method and its parallelized versions (see [Pol78, Tes98, vOW99, Pol]) to function fields can be employed as well by applying similar ideas as in Section 4. This method is preferable if one has no additional information on the size of the regulator or the class numbers. Acknowledgments: We are grateful to John M. Pollard for fruitful comments on [ST99a] ....
E. Teske. Speeding up Pollard's rho method for computing discrete logarithms. In Algorithmic Number Theory Seminar ANTS-III, volume 1423 of Lecture Notes in Computer Science, pages 541-554. Springer, 1998.
No context found.
E. Teske, Speeding Up Pollard's Rho Method for Computing Discrete Logarithms, Algorithmic Number Theory Symposium III (LNCS 1423), Springer-Verlag, Berlin, 1998, pp. 541--554.
No context found.
E. Teske. Speeding up pollard's rho method for computing discrete logarithms. In Algorithmic Number Theory -- ANTS III, number 1423 in Lecture Notes in Computer Science, 1998.
No context found.
E. Teske, Speeding up Pollard's rho method for computing discrete logarithms, Algorithmic Number Theory: Third International Symposium, Lecture Notes in Computer Science, 1423 (1998), Springer-Verlag, pp. 541-554.
No context found.
E. Teske, "Speeding Up Pollard's Rho Method for Computing Discrete Logarithms." Algorithmic Number Theory Symposium III: ANTS-III (LNCS 1423):541-554, 1998.